Scotland

A GDPR and DPA The ICO has similar enforcement powers under the GDPR and DPA as it had under the Data Protection Act 1998. One change is that the potential maximum fine for a breach has increased to €20 million or 4% of a company’s worldwide annual turnover (whichever is higher), although this will vary depending on the nature and seriousness of the breach.
The ICO also has powers, in England and Wales, to bring prosecutions in relation to criminal offences under the DPA. In Scotland, the Crown Office (the Procurator Fiscal or Her Majesty's Advocate) – as opposed to the ICO – is responsible for the prosecution of criminal offences under the DPA. See question 5 below.
B RIPA The Secretaries of State for Defence, Foreign Affairs and the Home Office (or, if issued by Scottish Ministers, a member of the Scottish Executive) have the power to issue a warrant. The interception offence carries a maximum two-year prison sentence and may only be prosecuted with consent of the Director of Public Prosecutions. Anyone unintentionally intercepting communications may be fined up to £50,000 by the Investigatory Powers Commissioner’s Office (“IPCO”), which replaced the Interception of Communications Commissioner as the body responsible for reviewing the use of investigatory powers by public authorities.